
Exploit
CVE-2023-52094

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Jan 23, 2024 / Updated: 10mo ago

CVSS 7.8, EPSS 0.05%, High

Summary

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. The specific flaw exists within the product update mechanism. By creating a junction, an attacker can abuse the updater to delete a folder. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Impact

An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. This could potentially lead to complete compromise of the affected system, allowing the attacker to gain full control over the machine, access sensitive information, modify or delete data, and perform any actions with system-level privileges.

Exploitation

One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of exploitation at the moment.

Patch

Trend Micro has issued an update to correct this vulnerability. More details can be found at: https://success.trendmicro.com/solution/000296151

Mitigation

1. Apply the patch provided by Trend Micro as soon as possible.
2. Limit user privileges and ensure the principle of least privilege is followed to reduce the risk of initial low-privileged code execution.
3. Monitor systems for suspicious activities, especially those related to the product update mechanism of Trend Micro Apex One Security Agent.
4. Implement strong access controls and network segmentation to limit the potential spread if a system is compromised.
5. Regularly update and patch all software, not just the affected Trend Micro product, to reduce overall system vulnerabilities.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-52094.

Jan 11, 2024 at 8:03 AM / VulDB Recent Entries

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jan 11, 2024 at 8:04 AM

CVE Assignment

NVD published the first details for CVE-2023-52094

Jan 23, 2024 at 1:15 PM

CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Jan 23, 2024 at 9:24 PM

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (379319)

Jan 24, 2024 at 10:15 PM

EPSS

EPSS Score was set to: 0.05% (Percentile: 12.6%)

Jan 31, 2024 at 4:57 PM

CVSS

A CVSS base score of 7.8 has been assigned.

Oct 28, 2024 at 7:11 PM / nvd

Affected Systems

Trendmicro/apex_one

Exploits

https://www.zerodayinitiative.com/advisories/ZDI-24-028/

Patches

success.trendmicro.com

Links to Mitre Att&cks

T1547.009: Shortcut Modification

Attack Patterns

CAPEC-132: Symlink Attack

Vendor Advisory

ZDI-24-028: Trend Micro Apex One Security Agent Updater Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2023-52094.

News

Multiple vulnerabilities in multiple Trend Micro products
Local privilege escalation due to a link following vulnerability - CVE-2023-52338 Apply the patch according to the information provided by the developer.
CVE-2023-52094
High Severity Description An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading to a local privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Read more at https://www.tenable.com/cve/CVE-2023-52094
NA - CVE-2023-52094 - An updater link following vulnerability in the...
An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading to a local privilege escalation...
CVE-2023-52094
An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading to a local privilege escalation on affected installations. CVE-2023-52094 originally published on CyberSecurityBoard
TREND MICRO, INC. TREND MICRO APEX ONE TREND MICRO APEX ONE AS A SERVICE CVE-2023-52094 CVE-2023-52094 An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading to a local privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. https://www.cve.org/CVERecord?id=CVE-2023-52094 https://success.trendmicro.com/dcx/s/solution/000296151?language=en_US https://www.zerodayinitiative.com/advisories/ZDI-24-028/ #TrendMicro,Inc. #TrendMicroApexOne #TrendMicroApexOneasaService #CVE_2023_52094 #bot

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
